---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
EMERGENCY RESPONSE SERVICE
OUTSIDE ADVISORY REDISTRIBUTION
05 August 1996 12:00 GMT Number: ERS-OAR-E01-1996:013.1
===============================================================================
The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.
IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.
IBM-ERS is forwarding the following information from NASIRC. Contact
information for NASIRC is included in the forwarded text below; please
contact them if you have any questions or need further information.
===============================================================================
********************** FORWARDED INFORMATION STARTS HERE **********************
NASIRC BULLETIN B-96-33 August 02, 1996
Laroux Excel Macro Virus
===========================================================
NASA Automated Systems Incident Response Capability
Serving NASA and the International Aerospace Communities
===========================================================
This bulletin reports a recently announced security vulnerability. It may
contain a workaround or software patch. Bulletins should be considered
urgent, as vulnerability information is likely to be widely known by the
time a patch is issued or other solutions are developed.
===========================================================
SYSTEMS AFFECTED
Systems running Microsoft Excel 5.x and 7.x on Windows 3.x,
Windows 95, and Windows NT are affected.
PROBLEM DESCRIPTION
The first "in the wild" Microsoft Excel macro virus, named
ExcelMacro/Laroux, was found in July 1996.
ExcelMacro/Laroux was written in Visual Basic for Applications
(VBA). This is a macro language based on the Visual Basic
language from Microsoft. This virus is able to operate in Excel
5.x and 7.x under Windows 3.x, Windows 95, and Windows NT. This
virus does not work under any version of Excel for Macintosh or
Excel 3.x or 4.x for Windows.
ExcelMacro/Laroux consists of two macros: auto_open and
check_files. The auto_open macro executes whenever a spreadsheet
is opened, followed by the check_files macro that determines the
startup path of Excel. If there is no file named "PERSONAL.XLS"
in the startup path, the virus creates one. This file contains a
module called "laroux".
The Laroux virus infects the "PERSONAL.XLS" file which, by
default, is found in "\MSOFFICE\EXCEL\XLSTART", but it can be
changed using Excel's Tools/Options/General/Alternate Startup
File menu option. The file name PERSONAL.XLS is a default file
name similar to NORMAL.DOT for Microsoft Word for Windows. Once
the "PERSONAL.XLS" file is infected, the macros will be copied to
new workbooks by adding a new module called "laroux", infecting
any created or accessed spreadsheets.
ExcelMacro/Laroux is not known to be destructive and contains no
obvious payload; it just replicates.
RECOMMENDED ACTIONS
To determine if users have the virus, they should:
1. Start Microsoft Excel.
2. Click Macro on the Tools menu.
3. Infection is likely if the following macro names are listed:
Auto_Open
Check_files
PERSONAL.XLS!auto_open
PERSONAL.XLS!check_files
4. If users have any infected workbooks open in the background, they may
   also see the following names listed:
   'bookname'!auto_open
   'bookname'!check_files (where 'bookname' is the name of the open workbook)
Note: Before disinfecting files, users should confirm the
existence of the macro by clicking Unhide on the Window menu and
unhiding the PERSONAL.XLS file. Doing this should make the sheet
visible. Presence of the virus is indicated by the word "laroux" in
the sheet tab.
To manually disinfect ExcelMacro/Laroux, users should:
1. Start Microsoft Excel.
2. Click Macro on the Tools menu.
3. Delete any of the following macro names that appear in the workbook:
Auto_Open
Check_files
PERSONAL.XLS!auto_open
PERSONAL.XLS!check_files
4. Click Exit on the Microsoft Excel File menu, and click Yes to save all
changes. Microsoft Excel is now clean.
5. Continue to open all infected workbooks one by one. Press and hold the
shift key while opening them to bypass any automacros.
a. For each workbook, click Macro on the Tools menu and delete
the virus macros.
b. Click Save on the File menu and re-save the file.
Prevention
Users should reset the attributes for the PERSONAL.XLS file to
read-only. This protects PERSONAL.XLS so Laroux cannot
infect it. If PERSONAL.XLS does not exist on the system, users
should create an empty PERSONAL.XLS file and follow the above
procedure.
Detecting ExcelMacro/Laroux with F-PROT Professional:
F-PROT supports user-defined search strings to search for new viruses.
Users should add the following search string with the name
ExcelMacro/Laroux:
00 21 00 60 00 27 20 6A 00 20 20 6A 00 AD 00 01 00 5C 00 11
After this, users should check all Excel worksheets for infection. This
can be done by scanning all files or by adding "XL?" to the list
of file extensions to be scanned.
Infected files will be reported by F-PROT like this:
C:\SHEETS\CUSTOMER.XLS contains the ExcelMacro/Laroux search
string.
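The two detection routes above (the macro and module names seen in Tools/Macro, and the F-PROT search string) can be applied to files directly. The following scanner is an added example, not code from the NASIRC bulletin or from F-PROT; it uses the bulletin's byte string as given, and the name-based check, with its assumption that names may be stored as 8-bit text or UTF-16LE, is this example's own heuristic.

```python
# Added example, not code from the NASIRC bulletin or from F-PROT.
import os
import re

# F-PROT user-defined search string from the bulletin, as raw bytes.
LAROUX_SEARCH_STRING = bytes.fromhex(
    "00 21 00 60 00 27 20 6A 00 20 20 6A 00 AD 00 01 00 5C 00 11"
)
# The two virus macros and the module name the bulletin lists. Assumption of
# this example: names may be stored as 8-bit text or UTF-16LE, so both are
# checked, case-insensitively (bytes.lower() only touches ASCII letters).
LAROUX_NAMES = ("auto_open", "check_files", "laroux")
# Equivalent of adding "XL?" to F-PROT's list of extensions to scan.
XL_EXTENSION = re.compile(r"\.xl.$", re.IGNORECASE)

def scan_bytes(data):
    """Return which Laroux indicators occur in one file's contents."""
    lowered = data.lower()
    names = [n for n in LAROUX_NAMES
             if n.encode() in lowered or n.encode("utf-16-le") in lowered]
    return {"search_string": LAROUX_SEARCH_STRING in data, "names": names}

def report_line(path, hits):
    """One F-PROT-style report line for a file with at least one indicator."""
    if hits["search_string"]:
        return f"{path} contains the ExcelMacro/Laroux search string."
    return f"{path} has suspicious macro/module name(s): {', '.join(hits['names'])}"

def scan_tree(root):
    """Scan every XL? file under root; return (path, report line) per hit."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not XL_EXTENSION.search(filename):
                continue
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits["search_string"] or hits["names"]:
                results.append((path, report_line(path, hits)))
    return results

if __name__ == "__main__":
    for _, line in scan_tree(os.getcwd()):
        print(line)
```

A name-only hit is a prompt to confirm via the Tools/Macro and Window/Unhide steps above, since a clean workbook can legitimately contain an auto_open macro.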
*Note: Microsoft Tools - A free tool to detect and clean infected
documents is currently being developed and will be available within the
next week on http://www.microsoft.com. NASIRC will obtain a copy and
place it in its ftp archives.
Vendor Information
The following list is not a NASIRC recommendation for any
product. This list is not exhaustive and is only provided as a
convenience.
Vendor         Product          Detects       Eradicates
DataFellows    Fprot            yes           Manually
Microsoft      in development   yes           yes
Symantec       SAM/NAM          yes           yes
McAfee         McAfee           Unspecified   Unspecified
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ACKNOWLEDGMENTS: ASSIST and AT&T for bringing this
situation to NASIRC's attention.
BULLETIN AUTHOR: Tom Baxter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This advisory may be forwarded without restriction. Persons
within the NASA community or operating in support of a NASA
contract may contact NASIRC with any questions about this
advisory.
Telephone: 1-800-7-NASIRC (1-800-762-7472) FAX: 1-301-441-1853
International: +1-301-441-4398 STU III: 1-301-982-5480
Internet E-Mail: nasirc@nasa.gov
24-Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
WWW: http://nasirc.nasa.gov/NASIRC_home.html
FTP: nasirc.nasa.gov, login "anonymous"
Anyone requiring assistance or wishing to report a security
incident but not operating in support of NASA may contact the
Forum of Incident Response and Security Teams (FIRST), an
international organization of incident response teams, to
determine the appropriate team. A list of FIRST member
organizations and their constituencies may be obtained by
sending E-mail to "docserver@first.org" with an empty "subject"
line and a message body containing the line "send first-contacts"
or via WWW at http://www.first.org/ .
*********************** FORWARDED INFORMATION ENDS HERE ***********************
===============================================================================
IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).
As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services. From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources. To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).
IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.
IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information. The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.
IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.
The information in this document is provided as a service to customers of
the IBM Emergency Response Service. Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries. The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.
---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---